CVE-2025-60425
Published: 27 October 2025
Description
Adversaries can use stolen session cookies to authenticate to web applications and services.
Security Summary
CVE-2025-60425 affects Nagios Fusion versions v2024R1.2 and v2024R2, where the software fails to invalidate existing session tokens upon enabling the two-factor authentication (2FA) mechanism. This flaw, classified under CWE-491 (Masking of a Critical Element), enables session hijacking attacks and carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L), indicating high severity due to its network accessibility, low attack complexity, and lack of prerequisites like privileges or user interaction.
Unauthenticated attackers can exploit this vulnerability remotely by obtaining a valid session token prior to 2FA enablement (for example through phishing, malware, or prior unauthorized access) and reusing it after 2FA activation to hijack the victim's session. Successful exploitation grants attackers high integrity impact (I:H), allowing unauthorized actions like configuration changes or data manipulation under the victim's privileges, alongside low confidentiality (C:L) and availability (A:L) impacts.
Advisories and mitigation details are available in the provided references, including the Nagios changelog at https://www.nagios.com/changelog/#fusion for patch information and GitHub repositories https://github.com/aakashtyal/Session-Persistence-After-Enabling-2FA and https://github.com/aakashtyal/Session-Persistence-After-Enabling-2FA-CVE-2025-60425 for technical analysis and proof-of-concept. Security practitioners should review these for upgrade guidance and apply patches promptly.
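The defensive behaviour this CVE is about is simple to state: enabling 2FA must end every session the account had before the step-up. The following is an added illustration (not Nagios Fusion code, and not from the referenced repositories) of a toy server-side session store in which `invalidate_on_2fa=False` reproduces the flaw and `invalidate_on_2fa=True` shows the fix; the `auth_generation` stamp is an assumed design that also rejects pre-2FA tokens a replica or cache failed to purge.

```python
import secrets
from dataclasses import dataclass


@dataclass
class User:
    name: str
    twofa_enabled: bool = False
    auth_generation: int = 0  # bumped whenever the account's auth state changes


@dataclass
class Session:
    user: str
    generation: int  # User.auth_generation at the moment the token was issued


class SessionStore:
    """Toy server-side session store; invalidate_on_2fa=False reproduces the flaw."""

    def __init__(self, invalidate_on_2fa: bool):
        self.invalidate_on_2fa = invalidate_on_2fa
        self.users: dict[str, User] = {}
        self.sessions: dict[str, Session] = {}

    def login(self, username: str) -> str:
        user = self.users.setdefault(username, User(username))
        token = secrets.token_urlsafe(32)  # unguessable, never derived from user data
        self.sessions[token] = Session(user.name, user.auth_generation)
        return token

    def is_valid(self, token: str) -> bool:
        s = self.sessions.get(token)
        # A token issued under an older generation is rejected even if its record
        # still exists (covers replicas or caches that were not purged in time).
        return s is not None and s.generation == self.users[s.user].auth_generation

    def enable_2fa(self, token: str) -> str:
        """Turn on 2FA for the session's owner; returns the token the caller keeps."""
        if not self.is_valid(token):
            raise PermissionError("not authenticated")
        user = self.users[self.sessions[token].user]
        user.twofa_enabled = True
        if not self.invalidate_on_2fa:
            return token  # flawed: every session issued before 2FA stays usable
        user.auth_generation += 1  # all pre-2FA sessions of this user now fail is_valid()
        self.sessions = {t: s for t, s in self.sessions.items() if s.user != user.name}
        return self.login(user.name)  # the enabling client continues on a fresh token
```

A regression test for the patched product would follow the same shape: log in twice, enable 2FA from one session, and assert that both pre-2FA tokens are rejected while the newly issued one is accepted.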
Details
CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability fails to invalidate session tokens upon enabling 2FA, enabling browser session hijacking (T1185) and continued use of stolen web session cookies as alternate authentication material (T1550.004) for unauthorized access and privilege escalation.